Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for detecting defects in a computer program, comprising: obtaining, by a processor, a plurality of source code and a potential defect definition; identifying, based on the potential defect definition, a plurality of program objects associated with a potential defect in the plurality of source code; extracting an executable program slice having the potential defect from the plurality of source code; generating, by a processor, an abstracted model of the program slice by: modeling, using data abstraction, the plurality of program objects as a plurality of data-abstracted variables that represent a reduced set of possible states of the plurality of program objects, identifying, within the program slice, a first plurality of control statements comprising a first plurality of predicates necessary for evaluating the first plurality of control statements, modeling, using predicate abstraction, the plurality of predicates as a plurality of predicate-abstracted Boolean variables that represent a reduced set of possible states of the first plurality of control statements, identifying, within the program slice, a plurality of statements modifying the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, creating, based on the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, a state of a finite state machine (FSM) model of the program slice for each of the plurality of statements, and creating, based on a plurality of execution paths of the program slice, a transition of the FSM connecting each state of the FSM to at least one other state of the FSM; and identifying an error state of the FSM indicating an occurrence of the potential defect within the program slice.
2. The method of claim 1, further comprising: identifying, within the program slice, a second plurality of control statements comprising a second plurality of predicates necessary for evaluating the second plurality of control statements, wherein the first plurality of control statements and the second plurality of control statements are mutually exclusive; and modeling, using data abstraction and based solely upon the plurality of data-abstracted variables and the second plurality of control statements, the second plurality of predicates as a plurality of data-abstracted control variables that represent a reduced set of possible states of the second plurality of control statements, wherein the FSM is further based on the plurality of data-abstracted control variables.
3. The method of claim 1, further comprising: creating, based on a type of the potential defect, a virtual memory address comprising a virtual status in order to model at least one of the plurality of program objects; identifying, using data abstraction, a set of virtual memory statuses that represent a reduced set of possible states of the virtual memory address; and tracking a value of the virtual status for each state of the FSM, wherein the value of the virtual status is selected from the set of virtual memory statuses.
4. The method of claim 1, wherein identifying the error state of the FSM comprises: identifying a plurality of end states of the FSM; identifying, within an end state of the plurality of end states, a value of a data-abstracted variable of the plurality of data-abstracted variables that indicates the occurrence of the potential defect; and flagging the end state as the error state.
5. The method of claim 1, wherein the program slice comprises the plurality of program objects, and wherein each of a plurality of statements within the program slice modifies a state of a program object of the plurality of program objects.
6. The method of claim 1, wherein the potential defect is one selected from a group consisting of an arithmetic defect and a multi-threading defect.
7. The method of claim 1, wherein the potential defect is a memory leak associated with an instance of memory allocation in the plurality of source code, and wherein the plurality of program objects comprises a pointer to the instance of memory allocation.
8. A non-transitory computer-readable storage medium storing a plurality of instructions for detecting defects in a computer program, the plurality of instructions comprising functionality to: obtain a plurality of source code and a potential defect definition; identify, based on the potential defect definition, a plurality of program objects associated with a potential defect in the plurality of source code; extract an executable program slice having the potential defect from the plurality of source code; generate an abstracted model of the program slice by: modeling, using data abstraction, the plurality of program objects as a plurality of data-abstracted variables that represent a reduced set of possible states of the plurality of program objects, identifying, within the program slice, a first plurality of control statements comprising a first plurality of predicates necessary for evaluating the first plurality of control statements, modeling, using predicate abstraction, the plurality of predicates as a plurality of predicate-abstracted Boolean variables that represent a reduced set of possible states of the first plurality of control statements, identify, within the program slice, a plurality of statements modifying the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, create, based on the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, a state of a finite state machine (FSM) model of the program slice for each of the plurality of statements, and create, based on a plurality of execution paths of the program slice, a transition of the FSM connecting each state of the FSM to at least one other state of the FSM; and identify an error state of the FSM indicating an occurrence of the potential defect within the program slice.
9. The non-transitory computer-readable storage medium of claim 8, wherein the plurality of instructions further comprise functionality to: identify, within the program slice, a second plurality of control statements comprising a second plurality of predicates necessary for evaluating the second plurality of control statements, wherein the first plurality of control statements and the second plurality of control statements are mutually exclusive; and model, using data abstraction and based solely upon the plurality of data-abstracted variables and the second plurality of control statements, the second plurality of predicates as a plurality of data-abstracted control variables that represent a reduced set of possible states of the second plurality of control statements, wherein the FSM is further based on the plurality of data-abstracted control variables.
10. The non-transitory computer-readable storage medium of claim 8, further comprising: creating, based on a type of the potential defect, a virtual memory address comprising a virtual status in order to model at least one of the plurality of program objects; identifying, using data abstraction, a set of virtual memory statuses that represent a reduced set of possible states of the virtual memory address; and tracking a value of the virtual status for each state of the FSM, wherein the value of the virtual status is selected from the set of virtual memory statuses.
11. The non-transitory computer-readable storage medium of claim 8, wherein identifying the error state of the FSM comprises: identifying a plurality of end states of the FSM; identifying, within an end state of the plurality of end states, a value of a data-abstracted variable of the plurality of data-abstracted variables that indicates the occurrence of the potential defect; and flagging the end state as the error state.
12. The non-transitory computer-readable storage medium of claim 8, wherein the program slice comprises the plurality of program objects, and wherein each of a plurality of statements within the program slice modifies a state of a program object of the plurality of program objects.
13. The non-transitory computer-readable storage medium of claim 8, wherein the potential defect is one selected from a group consisting of an arithmetic defect and a multi-threading defect.
14. The non-transitory computer-readable storage medium of claim 8, wherein the potential defect is a memory leak associated with an instance of memory allocation in the plurality of source code, and wherein the plurality of program objects comprises a pointer to the instance of memory allocation.
15. A system for detecting defects in a computer program, comprising: a processor; a defect analysis tool executing on the processor and configured to: obtain a plurality of source code and a potential defect definition, identify, based on the potential defect definition, a plurality of program objects associated with a potential defect in the plurality of source code; extract an executable program slice having the potential defect from the plurality of source code; a model generator executing on the processor and configured to generate an abstracted model of the program slice by: modeling, using data abstraction, the plurality of program objects as a plurality of data-abstracted variables that represent a reduced set of possible states of the plurality of program objects, identifying, within the program slice, a first plurality of control statements comprising a first plurality of predicates necessary for evaluating the first plurality of control statements, modeling, using predicate abstraction, the plurality of predicates as a plurality of predicate-abstracted Boolean variables that represent a reduced set of possible states of the first plurality of control statements, identifying, within the program slice, a plurality of statements modifying the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, creating, based on the plurality of data-abstracted variables and the plurality of predicate-abstracted Boolean variables, a state of a finite state machine (FSM) model of the program slice for each of the plurality of statements, and creating, based on a plurality of execution paths of the program slice, a transition of the FSM connecting each state of the FSM to at least one other state of the FSM; and a model checker executing on the processor and configured to: identify an error state of the FSM indicating an occurrence of the potential defect within the program slice.
16. The system of claim 15, wherein the model generator is further configured to generate the abstracted model of the program slice by: identifying, within the program slice, a second plurality of control statements comprising a second plurality of predicates necessary for evaluating the second plurality of control statements, wherein the first plurality of control statements and the second plurality of control statements are mutually exclusive; and modeling, using data abstraction and based solely upon the plurality of data-abstracted variables and the second plurality of control statements, the second plurality of predicates as a plurality of data-abstracted control variables that represent a reduced set of possible states of the second plurality of control statements, wherein the FSM is further based on the plurality of data-abstracted control variables.
17. The system of claim 15, further comprising: creating, based on a type of the potential defect, a virtual memory address comprising a virtual status in order to model at least one of the plurality of program objects; identifying, using data abstraction, a set of virtual memory statuses that represent a reduced set of possible states of the virtual memory address; and tracking a value of the virtual status for each state of the FSM, wherein the value of the virtual status is selected from the set of virtual memory statuses.
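Claims 1, 3, 4 and 7 (and their medium and system counterparts) read as one algorithm; the following Python is an added illustration, not code from the patent or its assignee. It models a constructed four-statement slice around a malloc/free pair: the pointer becomes a virtual memory status (claim 3), the `!ok` predicate becomes a nondeterministic Boolean (predicate abstraction), the FSM is explored breadth-first, and end states whose pointer is still allocated are flagged as error states (claim 4). The statement IR and the slice are assumptions made for this example.

```python
from collections import deque

# Slice IR (an assumption for this example, not the patent's format); each
# pointer carries one virtual memory status: unallocated / allocated / freed.
#   ("alloc", var)        pointer var receives a fresh allocation
#   ("free", var)         pointer var is released
#   ("if", pred, target)  jump to target when the abstract predicate holds
#   ("return",)           end of the slice

def set_status(mem, var, status):
    return tuple((v, status if v == var else s) for v, s in mem)

def build_fsm(slice_stmts, pointers):
    """BFS over the abstracted slice; a state is (pc, pointer statuses, predicate choices)."""
    init = (0, tuple((p, "unallocated") for p in pointers), ())
    states, transitions, end_states = {init}, set(), []
    work = deque([init])
    while work:
        state = work.popleft()
        pc, mem, preds = state
        stmt, succs = slice_stmts[pc], []
        if stmt[0] == "alloc":
            succs.append((pc + 1, set_status(mem, stmt[1], "allocated"), preds))
        elif stmt[0] == "free":
            succs.append((pc + 1, set_status(mem, stmt[1], "freed"), preds))
        elif stmt[0] == "if":
            known = dict(preds)
            # Predicate abstraction: an unseen predicate may be True or False;
            # one already fixed on this path keeps its value (same Boolean variable).
            for val in ([known[stmt[1]]] if stmt[1] in known else [True, False]):
                chosen = tuple(sorted({**known, stmt[1]: val}.items()))
                succs.append((stmt[2] if val else pc + 1, mem, chosen))
        else:  # "return": an end state of the FSM
            end_states.append(state)
        for nxt in succs:
            transitions.add((state, nxt))
            if nxt not in states:
                states.add(nxt)
                work.append(nxt)
    return states, transitions, end_states

def find_leak_states(slice_stmts, pointers):
    """Claim 4: flag end states whose data-abstracted pointer is still allocated."""
    _, _, ends = build_fsm(slice_stmts, pointers)
    return [s for s in ends if any(st == "allocated" for _, st in s[1])]

# Constructed slice of a C routine that frees its buffer only on the normal path:
#   p = malloc(n); if (!ok) return; free(p); return;
LEAKY_SLICE = [("alloc", "p"), ("if", "!ok", 3), ("free", "p"), ("return",)]
LEAK_STATES = find_leak_states(LEAKY_SLICE, ["p"])
# -> [(3, (('p', 'allocated'),), (('!ok', True),))]: the early-return path leaks p
```

Moving the jump target of the `if` to the `free` statement (so both paths release `p`) yields an FSM with no error state, which is the check a practitioner would run before and after the fix.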
May 20, 2014